NCM Config Archive security.

Question

NCM stores all backed up configurations on the local server in clear text format so they are available to anyone who can browse the server file system. Is there a way of storing them more securely? Encryption? I really want to know that if the server file system is compromised, the stored configs have a further layer of protection.

rschroeder · Answer

Folders within the local archive are (or SHOULD BE) protected by proper network permissions.  A VERY few accounts should be allowed to access that archive--the NCM machine or service account, the SYSTEM account, and people who are in the local Server Administrator group for that engine.

Active Directory / NTFS permissions must be configured to only allow the minimum number of trusted Machine or user accounts.

Files should be archived long-term to a network share that is backed up automatically.  The archive location should also have the same kinds of restricted access mentioned above.

Further encryption of the local or long-term archive areas might prove problematic in that there's no automated way to unencrypt them for restores or use in SWQL commands and queries.

Set your Windows Security Administrators the task of understanding the permissions required by machine accounts and users for these areas and ensure any changes are tested against NCM's Jobs and needs.

Swift Packets!

Rick Schroeder